05-15-2014 02:10 AM
A customer needs an SSID to have WPA2-PSK as the authentication method to be able to connect devices that do not support 802.1X or Captive Portal.
But they would like to be able to grant only specific devices access to this SSID by letting ClearPass verify whether the device is approved or not.
Is it possible to combine WPA2-PSK authentication with an additional check sent to ClearPass? Maybe an authorization request?
Jonas Erlund Hammarbäck
05-15-2014 02:46 AM
You would need to find the AAA profile for the WPA2-PSK WLAN and add a mac authentication profile to it. http://www.arubanetworks.com/techdocs/ArubaOS_63_W
You would then set up MAC-based authentication in ClearPass (I don't have a web link for that, but it should be in the help).
Aruba Customer Engineering
Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
05-15-2014 05:16 AM
Keep in mind as well that ClearPass offers a unique authentication source called "Allow All MACAUTH". With this, we can leverage other context outside of maintaining a MAC address database for these users.
Essentially, ClearPass will allow any MAC address as valid for MAC auth purposes. Then, with policy, you can assign roles or deny access based on other variables such as:
MAC OUI (Connection:Client-MAC-Address BEGINS WITH <value>)
MAC Vendor (Connection:Client-MAC-Vendor CONTAINS <value>)
Profile Info (Authorization:[Endpoints Repository]:Category OR OS Family CONTAINS <value>)
Hostname (Authorization:[Endpoints Repository]:Hostname CONTAINS <value>)
Or even a Custom Attribute YOU add to the Endpoint DB record for the device
All in all, you can write a very secure/granular policy without having to maintain specific MAC addresses.
Consulting Systems Engineer - ACCX, ACDX, ACMX
If you found my post helpful, please give kudos
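The policy approach described in the post above, as an added Python sketch that is not part of the original thread and is not ClearPass code: every MAC passes authentication, and a first-match rule list over the attribute names from the post decides the role, with deny as the default. The endpoint records, the "PSK-Approved" custom attribute and the role name are constructed for illustration.

```python
# Added illustration: first-match policy evaluation modelled on the rule
# conditions listed in the post. Not ClearPass code; all data is constructed.
OPS = {
    "BEGINS_WITH": lambda actual, value: actual.upper().startswith(value.upper()),
    "CONTAINS": lambda actual, value: value.upper() in actual.upper(),
    "EQUALS": lambda actual, value: actual.upper() == value.upper(),
}

# Constructed Endpoints Repository records keyed by normalized MAC.
# "PSK-Approved" is a hypothetical custom attribute an admin would add.
ENDPOINTS = {
    "001122334455": {"Category": "Printer", "Hostname": "prn-floor2", "PSK-Approved": "true"},
    "0011226677AA": {"Category": "Printer", "Hostname": "prn-lobby"},
}

# Each rule: all conditions must match (AND); the first matching rule wins.
RULES = [
    ([("Authorization:[Endpoints Repository]:PSK-Approved", "EQUALS", "true"),
      ("Authorization:[Endpoints Repository]:Category", "CONTAINS", "Printer"),
      ("Connection:Client-MAC-Address", "BEGINS_WITH", "001122")], "psk-printer"),
]
DEFAULT = "deny"

def normalize_mac(mac):
    """Strip separators so 00:11:22.. and 00-11-22.. compare equal."""
    return "".join(c for c in mac if c.isalnum()).upper()

def build_context(mac):
    """Merge connection data with the endpoint record, if one exists."""
    mac = normalize_mac(mac)
    ctx = {"Connection:Client-MAC-Address": mac}
    for key, value in ENDPOINTS.get(mac, {}).items():
        ctx["Authorization:[Endpoints Repository]:" + key] = value
    return ctx

def evaluate(mac):
    ctx = build_context(mac)
    for conditions, role in RULES:
        # A missing attribute never matches, so unknown devices fall through to deny.
        if all(attr in ctx and OPS[op](ctx[attr], value) for attr, op, value in conditions):
            return role
    return DEFAULT

if __name__ == "__main__":
    for mac in ("00:11:22:33:44:55", "00-11-22-66-77-aa", "aa:bb:cc:dd:ee:ff"):
        print(mac, "->", evaluate(mac))
```

The second sample device matches the OUI and category but lacks the custom attribute, so it is denied even though it holds the correct PSK.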
05-15-2014 06:10 AM
The method "Allow All MACAUTH" combined with custom attributes in the Endpoints Repository will be the best solution for our purposes as I can see now.
Thanks for the tip!
Jonas Erlund Hammarbäck
05-18-2016 02:29 PM
I love when a "Search Airheads" hit gives me exactly what I need to solve today's (current) problem!
if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it